Related to: https://github.com/fleetdm/fleet/issues/32358
Changes:
- Updated the `deliver-contact-form-message` action to create a
historical event in our CRM when users submit the "Send a message" form.
Closes: https://github.com/fleetdm/fleet/issues/35222
Changes:
- Updated the `view-fleet-premium-trial-or-redirect` action to redirect
users who have purchased a self-service Fleet Premium license to their
customer dashboard.
**Related issue:** Attempt at debugging #34776
Another attempt to further debug this issue. This attempt tries to
verify that the scopes for the token are correct, and are not overridden by
another call to the scopes.
The reason is that the `www-authenticate` response header is saying
`error="insufficient_scope"`
**Related issue:** Attempt at solving #34776
This was verified by extracting the create topic, and getIamPolicy, and
without the flow.build it worked fine, but when added it started
failing.
**Related issue:** Resolves #34776
Adds delay to subsequent retries on creation of Android enterprise
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Related to: https://github.com/fleetdm/fleet/issues/34776
Changes:
- Updated the create-android-enterprise endpoint to retry the
getIamPolicy and setIamPolicy methods when creating a new android
enterprise.
This PR adds a small log warn statement to the fleetdm proxy for a 400
error on creating enterprise that is not an invalid token.
See this slack thread about the issue, and missing error log to further
debug the issue, unless running it locally, and then it is sometimes not
reproducible.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [ ] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [ ] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [ ] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [ ] Added/updated automated tests
- [ ] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [ ] Confirmed that the fix is not expected to adversely impact load
test results
- [ ] Alerted the release DRI if additional load testing is needed
## Database migrations
- [ ] Checked schema for all modified tables for columns that will
auto-update timestamps during migration.
- [ ] Confirmed that updating the timestamps is acceptable, and will not
cause unwanted side effects.
- [ ] Ensured the correct collation is explicitly set for character
columns (`COLLATE utf8mb4_unicode_ci`).
## New Fleet configuration settings
- [ ] Setting(s) is/are explicitly excluded from GitOps
If you didn't check the box above, follow this checklist for
GitOps-enabled settings:
- [ ] Verified that the setting is exported via `fleetctl
generate-gitops`
- [ ] Verified the setting is documented in a separate PR to [the GitOps
documentation](https://github.com/fleetdm/fleet/blob/main/docs/Configuration/yaml-files.md#L485)
- [ ] Verified that the setting is cleared on the server if it is not
supplied in a YAML file (or that it is documented as being optional)
- [ ] Verified that any relevant UI is disabled when GitOps mode is
enabled
## fleetd/orbit/Fleet Desktop
- [ ] Verified compatibility with the latest released version of Fleet
(see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/workflows/fleetd-development-and-release-strategy.md))
- [ ] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes
- [ ] Verified that fleetd runs on macOS, Linux and Windows
- [ ] Verified auto-update works from the released version of component
to the new version (see [tools/tuf/test](../tools/tuf/test/README.md))
Haven't fully QA'd as I am not sure how to repro locally (when I test the
pubsub arrives before we ever run the reconciler) however this should
cause 4xx to be returned from the website instead of 5xx for android
unenrolled. We use the exact same code on a different endpoint
**Related issue:** Resolves #34988 partially. This just helps reduce
alerts to help-p1 and implements the interface that the server is
expecting
Changes:
- Updated who gets assigned a Render trial instance in the website's
signup action
- Updated how RenderProofOfValue records are sorted when they are
assigned to a user
Related to: https://github.com/fleetdm/fleet/issues/33798
Changes:
- Updated the redirects for logged-in users for the /login and /register
pages to take users to the /try page.
- Updated the primary button color in the query generator and the
landing page generator stylesheet template
Changes:
- Updated the "Try it now" button on the website's header navigation, it
will now open a signup/login modal on every page (excluding the
dedicated /register and /login pages)
- Updated the website to assign Fleet Premium instances hosted on Render
to eligible users. All other users will be given a 30-day Fleet Premium
trial license key to use with their deployment method of choice.
- Added a script that creates and manages a pool of Render instances.
- Added a new database model: `RenderProofOfValue`
- Added four new email templates
- Updated primary button colors to match the core product.
- Removed the organization requirement for new users signing up.
- Added a new component: `<signup-modal>`
- Added a new attribute to the User model: `fleetPremiumTrialType`
Introduces a new event type for GitHub contributions to the
fleetdm/fleet repository across webhook controller and Salesforce helper
modules. This enables tracking and handling of user contributions in
addition to existing GitHub events.
**Related issue:** Resolves #34299
Unreleased bug in Android Config profiles 4.75.0 feature. No changes
file as such. I'm not entirely sure how to cause this as I was unable to
repro it locally, there may be a timing issue or something, so I haven't
fully QA'd manually. QA was limited to verifying basic reconciler
functionality
Also updated Website endpoint to not throw a 5XX since we expect this to
occasionally happen
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes
## Testing
- [x] Added/updated automated tests
- [x] Where appropriate, [automated tests simulate multiple hosts and
test for host
isolation](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/reference/patterns-backend.md#unit-testing)
(updates to one host's records do not affect another)
- [ ] QA'd all new/changed functionality manually
For unreleased bug fixes in a release candidate, one of:
- [x] Confirmed that the fix is not expected to adversely impact load
test results
Added 'GitHub - Stared fleetdm/fleet' and 'GitHub - Forked
fleetdm/fleet' to the activity type arrays in webhook and Salesforce
helper modules to track new forms of user engagement.
**Related issue:** Resolves #33848
## Summary by CodeRabbit
- New Features
  - Added support for the Security & Compliance project within the GitHub
    integration, enabling tracking and visibility alongside existing
    projects.
- Refactor
  - Streamlined project mapping logic to improve consistency when
    processing updates from GitHub; behavior for existing projects remains
    unchanged.
Related to: https://github.com/fleetdm/fleet/issues/33266
Changes:
- Added a new helper
`sails.helpers.androidProxy.getIsEnterpriseManagedByFleet`. This helper
returns `true` if a provided Android Enterprise ID is present in the
list of all Android Enterprises managed by Fleet, or `false` if it is
not in the list.
- Updated `create-android-enrollment-token`,
`create-android-signup-url`, and `modify-android-policies` to return a
404 response to the requesting Fleet instance if their Android
Enterprise is not managed by Fleet.
Closes: #33548
Changes:
- Added a new configuration variable
`sails.config.custom.bannedEmailDomainsForContactFormSubmissions` that
contains a list of domains (currently a single domain) that cannot be
used to submit the contact form
- Updated the `bannedEmailDomainsForWebsiteSubmissions` list to include
`example.com`
- Updated the deliver-contact-form-message action to return an
`invalidEmailDomain` exit if the contact form is submitted with an email
domain in the `bannedEmailDomainsForContactFormSubmissions` list
Closes: #33548
Changes:
- Added `isEmail` validation to emailAddress inputs. The updated
endpoints will now return 400 responses if a user bypasses the frontend
validation.
Closes: #33454
Changes:
- Updated the receive-from-github webhook to log warnings that include
information about the affected issue/pr if requests to the GitHub API
fail.
Changes:
- Updated the receive-from-clay webhook's inputs to have the same `isIn`
lists as the helpers the webhook uses.
- Removed the `invalidContactOrAccountCriteria` and
`invalidHistoricalEventCriteria` exits in the receive from clay webhook.
Related to: https://github.com/fleetdm/confidential/issues/11779
Changes:
- Updated the `deliver-talk-to-us-form-submission` to use information
returned by the getEnriched helper to determine the Calendly event users
are taken to when they submit the form.
Closes: https://github.com/fleetdm/confidential/issues/12218
Changes:
- Added a testimonial from David Bodmer
- Updated the device management testimonials shown on the MDM page,
homepage, and testimonials page
Related to: https://github.com/fleetdm/confidential/issues/10737
Changes:
- Added `docs/scripts.yml`, a YAML file that contains a list of scripts
- Added `docs/mdm-commands.yml`, a YAML file that contains Windows and
Apple MDM commands
- Added `/mdm-commands`, a page that contains a list of MDM commands for
Windows and Apple commands
- Added `/scripts`, a page that contains a list of scripts
- Updated the `<docs-nav-and-search>` component to have a link to the
controls library, and reordered the lists.
- Updated the build static content script to add the scripts and mdm
commands from scripts.yml and mdm-commands.yml to the website's
`builtStaticContent` configuration.
- Updated the layout of the os-settings page to match the latest
wireframes
Closes: https://github.com/fleetdm/fleet/issues/33148
Changes:
- Updated the receive-from-zoom webhook to return a `zoomApiError` exit
when Zoom returns a non-200 response when it sends an API request to get
information about a call.
Changes:
- Updated the `receive-redirect-from-microsoft` endpoint to redirect
users to their Fleet instance if an Entra admin did not consent to the
permissions requested by Fleet's compliance partner integration.
- Fixed a bug that prevented users from being redirected to their Fleet
instance if their Entra configuration is missing a required group
- Updated the `receive-redirect-from-microsoft` endpoint to require a
`state` input
Related to: #32228
Changes:
- Updated the `receive-redirect-from-microsoft` endpoint to assign the
created compliance policy to an Entra ID group named "Fleet conditional
access"
Fixes #30483
## Summary by CodeRabbit
* **New Features**
  * Added a new webhook endpoint to track GitHub Projects v2 item status
    changes and record engineering metrics.
  * Integrated with Google BigQuery for storing and analyzing issue status
    transition data.
* **Chores**
  * Introduced a new POST API route for receiving GitHub Projects v2 item
    events.
  * Added configuration options for GitHub webhook secrets and Google
    Cloud service account keys (commented out for future use).
  * Added a new dependency for Google BigQuery integration.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Related to: https://github.com/fleetdm/fleet/issues/31986
Changes:
- Updated Microsoft proxy endpoints to log API responses from Microsoft
when it runs for Fleet's dogfood integration.
<ins>*🌐 IT and Enablement:*</ins>
- Rename "🌐 Digital Experience" to "🌐 IT and Enablement" dept
- Rename "digital-experience.rituals.yml" to
"it-and-enablement.rituals.yml"
<ins>*🧑🚀 People*</ins>
- Create 🧑🚀 People dept
- Create "people.rituals.yml"
<ins>*🔭 CEO*</ins> (<= WHY? To maintain the [structure of the
handbook](https://fleetdm.com/handbook/company/leadership#outline-of-departmental-page-structure).)
- Create 🔭 CEO page and link to leadership
- Create ceo.rituals.yml
<ins>*💸 Finance*</ins>
- Renamed label "#g-finance" to ":help-finance" to match the rest of the
departmental labels.
---------
Co-authored-by: Eric <eashaw@sailsjs.com>
Closes: https://github.com/fleetdm/fleet/issues/31506
Changes:
- Updated the `create-android-enterprise` action to return a 409
response if a database record already exists for the Android enterprise.
Closes: https://github.com/fleetdm/confidential/issues/11365
Changes:
- Updated the User model's supported `primaryBuyingSituation` values.
- Updated the /start questionnaire to use the new
`primaryBuyingSituation` values.
- Updated the contact form to use the new `primaryBuyingSituation`
values.
Closes: https://github.com/fleetdm/fleet/issues/30914
Changes:
- Updated the `deliver-apple-csr` endpoint to return a
`csrMissingRequiredValue` response when the provided unsigned CSR data
does not contain a required value.
Closes #30935
Changes:
- Updated create-android-signup-url to return a bad request response if
a provided callback URL cannot be used to create an Android Enterprise
signup URL.
Changes:
- Updated the `deliver-contact-form-message` action to send contact form
messages to our support email address
- Changed the subject of contact form messages sent by Fleet Premium
subscribers ("New contact form message" » "New Fleet Premium customer
message")
Closes: https://github.com/fleetdm/confidential/issues/11370
Changes:
- Updated the receive-from-zoom webhook to return a 200 response to Zoom
if a call has no transcript (e.g., the host stops the recording at the
start of the meeting).
Changes:
- Added a badRequest exit to the Microsoft compliance proxy's admin
consent redirect endpoint.
- Updated the Microsoft compliance proxy's admin consent redirect
endpoint to use the new exit if a request is missing either a tenant or
state value.
Closes: https://github.com/fleetdm/fleet/issues/30719
Changes:
- Updated the logged warnings in the receive-from-zoom webhook to
include the payload sent by zoom if the zoom API returns a 404 response
when the webhook attempts to get information about the call.
- Updated the receive-from-zoom webhook to log a detailed warning if a
speaker is missing an expected value.
Including Connor Hughes (MunkiMind) in "List of Humans"
## Summary by CodeRabbit
* **Chores**
  * Updated the list of recognized GitHub bot and maintainer accounts to
    include 'MunkiMind'.
Closes: https://github.com/fleetdm/fleet/issues/30714
Changes:
- Fixed a bug in the policy and query library pages that prevented
multi-platform queries and policies from being displayed in every
platform they are supported on.
Closes: https://github.com/fleetdm/confidential/issues/10867
Changes:
- Updated the route for the /app-library page and app details pages to
be at `/software-catalog` and added redirects.
- Updated places where we mentioned the app library to say "software
catalog" instead.
## Summary by CodeRabbit
* **New Features**
  * Updated all references and navigation paths from "app library" to
    "software catalog" across the website.
  * Updated internal links, breadcrumbs, and share URLs to use the new
    "/software-catalog" path.
  * Added redirects from old "app-library" URLs to the new
    "software-catalog" URLs for seamless navigation.
* **Style**
  * Updated descriptive text and metadata to reflect the new "software
    catalog" terminology throughout the site.
Closes https://github.com/fleetdm/confidential/issues/11135
Closes https://github.com/fleetdm/confidential/issues/11134
Changes:
- Added two new testimonials to the /testimonials and /device-management
pages
## Summary by CodeRabbit
* **New Features**
  * Added two new testimonials focused on Linux desktop management,
    enhancing the "Device management" section.
  * Updated testimonial display order to include the new authors for
    improved visibility in the relevant category.
Changes:
- Added `articles` to the list of supported article categories in the
build-static-content script.
- Added a route for articles in the articles category.
- Updated the `view-basic-article` action to support the new `articles`
category.
Changes:
- Added a script that sets a `fleetPremiumTrialLicenseKey` and
`fleetPremiumTrialLicenseKeyExpiresAt` values on all User records.
- Added a new email template to inform users that they have a new Fleet
premium trial available.
- Added the announcement banner to the /login, /register, and /try-fleet
pages.
Closes: https://github.com/fleetdm/confidential/issues/11058
Changes:
- Updated the receive from clay webhook to log a warning and return a
`couldNotCreateActivity` response if it receives information about a
contact record with no account record associated with it.
Closes: https://github.com/fleetdm/confidential/issues/10675
Changes:
- Added a new webhook: `receive-from-zoom`. When this webhook receives
an event indicating that a call recording is done processing, this
webhook will build the transcript and send it and information about the
call to a Zapier webhook, where it will be added to a new Google doc.
Related to: https://github.com/fleetdm/fleet/issues/26521
Changes:
- Added two pages that will be used for the Microsoft compliance proxy
(`/microsoft-compliance-partner/turn-on-mdm` &
`/microsoft-compliance-partner/remediate`)
Related to: https://github.com/fleetdm/fleet/issues/26270
Changes:
- Added a new database model: `AndroidEnterprise`
- Added one new website dependency: `googleapis@148.0.0`
- Added `android-proxy/create-android-signup-url`: an endpoint that
returns a signup url used to grant access to Fleet's Android MDM
integration.
- Added `android-proxy/create-android-enterprise`: An endpoint that
creates an Android enterprise for a Fleet server
- Added `android-proxy/create-android-enrollment-token`: An endpoint
that returns an enrollment token for an Android enterprise
- Added `android-proxy/modify-android-policies`: An endpoint used to
update policies of an Android enterprise
- Added `android-proxy/delete-one-android-enterprise`: an endpoint that
deletes an Android enterprise
---------
Co-authored-by: Victor Lyuboslavsky <victor@fleetdm.com>
Changes:
- Created a new database model: `MicrosoftComplianceTenant`. A model
that stores information about compliance tenants
- Added `/policies/is-cloud-customer`: a policy that blocks requests to
microsoft proxy endpoints if a `MS API KEY` header is missing or does
not match a new config variable
(`sails.custom.config.cloudCustomerCompliancePartnerSharedSecret`)
- Added `microsoft-proxy/create-compliance-partner-tenant`: an action
that creates a database record for a new compliance tenant and generates
an API key that is used to authenticate future requests to microsoft
proxy endpoints for an entra tenant.
- Added `microsoft-proxy/get-compliance-partner-settings`: an action
that returns information about Fleet's compliance partner entra
application and the entra tenant's admin consent status (whether or not
a tenant's entra admin has granted permissions to Fleet's compliance
partner application)
- Added `microsoft-proxy/get-tenants-admin-consent-status`: an action
that updates the admin consent status of a compliance tenant record.
- Added `microsoft-proxy/setup-compliance-partner-tenant`: an action
that provisions a compliance tenant, creates a compliance policy for
macOS devices, and assigns the created policy to the built-in "All users"
user group on the tenant's entra instance.
- Added `microsoft-proxy/update-one-devices-compliance-status`: an
action that receives information about a device on a compliance tenant's
Fleet instance, sends that information to their Entra instance, and
returns the message ID returned by the asynchronous Entra API.
- Added `microsoft-proxy/get-one-compliance-status-result`: an action
that returns the result of a compliance status update from the Entra
API.
- Added `sails.helpers.microsoft-proxy.get-access-token-and-api-urls`: A
helper that gets an access token for a tenant's entra instance and the
URLs of the API endpoints the microsoft proxy actions use for a tenant.
- Added `scripts/send-entra-heartbeat-requests`: A script that will run
daily to keep all microsoft compliance integrations provisioned.
---------
Co-authored-by: Lucas Rodriguez <lucas@fleetdm.com>
Closes: https://github.com/fleetdm/confidential/issues/10921
Changes:
- Updated the registration form to direct users who don't have a work
email or don't want to create an account to the /try-fleet page.
- Updated the try-fleet page to have a box directing users who want to
demo Fleet Premium features to sign up for an account.
- Updated the try-fleet page's view action to generate trial licenses
for logged-in users who do not have a trial license key.
Fixes part of #29720. Includes promoting some bolded to subheadings (in
wireframe docs).
---------
Co-authored-by: Sam Pfluger <108141731+Sampfluger88@users.noreply.github.com>